Did I get hacked? (RT-AC86U)


moshimoshi698

New Around Here
Hi,

I am not very computer savvy, and I am concerned about the security of my router's home network. Every day or two I check on my router's safety features, and I noticed that certain things are activated that I don't remember activating or being on by default (SAMBA was active and also Remote access for WAN). I don't ever recall turning these on. Are these settings on by default? Also, here is some code from my System Log; maybe there are some clues in here and some more knowledgeable people here could tell me if my account or network is compromised.

May 4 22:05:05 kernel: klogd started: BusyBox v1.24.1 (2022-03-23 07:59:53 CST)
May 4 22:05:05 kernel: Linux version 4.1.27 (gitserv_asus@tpbuildsvrvu01) (gcc version 5.3.0 (Buildroot 2016.02) ) #2 SMP PREEMPT Wed Mar 23 08:55:15 CST 2022
May 4 22:05:05 kernel: CPU: AArch64 Processor [420f1000] revision 0
May 4 22:05:05 kernel: Kernel command line: coherent_pool=1M cpuidle_sysfs_switch
May 4 22:05:05 kernel: Virtual kernel memory layout:
May 4 22:05:05 kernel: vmalloc : 0xffffff8000000000 - 0xffffffbdffff0000 ( 247 GB)
May 4 22:05:05 kernel: vmemmap : 0xffffffbe00000000 - 0xffffffbfc0000000 ( 7 GB maximum)
May 4 22:05:05 kernel: 0xffffffbe00000000 - 0xffffffbe00700000 ( 7 MB actual)
May 4 22:05:05 kernel: fixed : 0xffffffbffabfd000 - 0xffffffbffac00000 ( 12 KB)
May 4 22:05:05 kernel: PCI I/O : 0xffffffbffae00000 - 0xffffffbffbe00000 ( 16 MB)
May 4 22:05:05 kernel: modules : 0xffffffbffc000000 - 0xffffffc000000000 ( 64 MB)
May 4 22:05:05 kernel: memory : 0xffffffc000000000 - 0xffffffc020000000 ( 512 MB)
May 4 22:05:05 kernel: .init : 0xffffffc000690000 - 0xffffffc0006c9000 ( 228 KB)
May 4 22:05:05 kernel: .text : 0xffffffc000080000 - 0xffffffc00068f264 ( 6205 KB)
May 4 22:05:05 kernel: .data : 0xffffffc0006ca000 - 0xffffffc000713f00 ( 296 KB)
May 4 22:05:05 kernel: Broadcom Logger v0.1
May 4 22:05:05 kernel: creating mapping for reserved memory phys 0x0c400000 virt 0xffffffc00c400000 size 0x00e00000 for dhd1
May 4 22:05:05 kernel: Do not need to create mapping for reserved memory phys 0x0e000000 size 0x02000000 for buffer
May 4 22:05:05 kernel: creating mapping for reserved memory phys 0x0d200000 virt 0xffffffc00d200000 size 0x00e00000 for flow
May 4 22:05:05 kernel: pmc_init:pMC using DQM mode
May 4 22:05:05 kernel: CPU1: Booted secondary processor
May 4 22:05:05 kernel: skbFreeTask created successfully
May 4 22:05:05 kernel: gbpm_do_work scheduled
May 4 22:05:05 kernel: BLOG v3.0 Initialized
May 4 22:05:05 kernel: BLOG Rule v1.0 Initialized
May 4 22:05:05 kernel: Broadcom IQoS v0.1 initialized
May 4 22:05:05 kernel: Broadcom GBPM v0.1 initialized
May 4 22:05:05 kernel: nand: Could not find valid ONFI parameter page; aborting
May 4 22:05:05 kernel: >>>>> For primary mtd partition rootfs, cferam/vmlinux.lz mounted as JFFS2, vmlinux fs mounted as UBIFS <<<<<
May 4 22:05:05 kernel: Secondary mtd partition rootfs_update detected as JFFS2 for cferam/vmlinux source and UBIFS for vmlinux filesystem
May 4 22:05:05 kernel: setup_mtd_parts: misc indx 2 name misc3 nvram configured size 1
May 4 22:05:05 kernel: setup_mtd_parts: name misc3 configured size 0x00100000 offset 0xF600000
May 4 22:05:05 kernel: setup_mtd_parts: misc indx 1 name misc2 nvram configured size 47
May 4 22:05:05 kernel: setup_mtd_parts: name misc2 configured size 0x02f00000 offset 0xC700000
May 4 22:05:05 kernel: setup_mtd_parts: misc indx 0 name misc1 nvram configured size 8
May 4 22:05:05 kernel: setup_mtd_parts: name misc1 configured size 0x00800000 offset 0xBF00000
May 4 22:05:05 kernel: Creating 11 MTD partitions on "brcmnand.0":
 
Samba is on by default if you have a USB drive plugged in but remote access is not. They might be enabled if you use the Asus phone app.

Your log only shows the beginning of the router's normal startup.

What firmware version are you using?
 
Anyone who has doubts, no matter how small, should just start clean. And that includes reflashing the firmware, even if it's the same as currently installed, and a factory reset afterwards. Of course, take notice of the defaults at that point and disable the things you don't need.

For example, there's really no need to have Samba enabled unless you intend to share those files on the network. But if you're just using it to support Entware (i.e., internally to the router), it's unnecessary.
 
Hi,

My firmware version is 3.0.0.4.386_48260. I did set it up with the ASUS Phone App and bound an e-mail address to it. Here is more code from my system log for analysis. I'm not sure what to make of this.

Jul 17 15:44:50 wlceventd: wlceventd_proc_event(527): eth6: Auth 9A:45:FF:5E:23:6D, status: Successful (0), rssi:0
Jul 17 15:44:50 wlceventd: wlceventd_proc_event(556): eth6: Assoc 9A:45:FF:5E:23:6D, status: Successful (0), rssi:0
Jul 17 15:44:53 dhcp client: bound 104.173.1.33/255.255.224.0 via 104.173.0.1 for 63924 seconds.
Jul 17 15:44:58 wlceventd: wlceventd_proc_event(527): eth6: Auth B8:BC:5B:EA:D1:CF, status: Successful (0), rssi:0
Jul 17 15:44:58 wlceventd: wlceventd_proc_event(556): eth6: Assoc B8:BC:5B:EA:D1:CF, status: Successful (0), rssi:0
Jul 17 15:44:59 kernel: bcm_mcast_mld_add:833 mc_fdb->rep_list ffffffc0104bd068 next ffffffc0143f71e0 prev ffffffc0143f71e0 rep_entry->list ffffffc0143f71e0 next ffffffc0104bd068 prev ffffffc0104bd068
Jul 17 15:44:59 kernel: bcm_mcast_mld_add:833 mc_fdb->rep_list ffffffc0104bd128 next ffffffc01933dba0 prev ffffffc01933dba0 rep_entry->list ffffffc01933dba0 next ffffffc0104bd128 prev ffffffc0104bd128
Jul 17 15:45:09 wlceventd: wlceventd_proc_event(527): eth6: Auth 6C:A1:00:17:68:4B, status: Successful (0), rssi:0
Jul 17 15:45:09 wlceventd: wlceventd_proc_event(556): eth6: Assoc 6C:A1:00:17:68:4B, status: Successful (0), rssi:0
Jul 17 15:45:15 kernel: jffs2: warning: (1786) jffs2_sum_write_data: Summary too big (-32 data, -1552 pad) in eraseblock at 005e0000
Jul 17 15:45:28 wlceventd: wlceventd_proc_event(508): eth6: Disassoc B8:BC:5B:EA:D1:CF, status: 0, reason: Disassociated because sending station is leaving (or has left) BSS (8), rssi:0
Jul 17 15:45:28 wlceventd: wlceventd_proc_event(527): eth6: Auth B8:BC:5B:EA:D1:CF, status: Successful (0), rssi:0
Jul 17 15:45:28 wlceventd: wlceventd_proc_event(556): eth6: Assoc B8:BC:5B:EA:D1:CF, status: Successful (0), rssi:-37
Jul 17 15:45:29 crond[1739]: time disparity of 2210020 minutes detected
Jul 17 15:45:33 wlceventd: wlceventd_proc_event(527): eth6: Auth 64:07:F6:3E:8E:DD, status: Successful (0), rssi:0
Jul 17 15:45:33 wlceventd: wlceventd_proc_event(556): eth6: Assoc 64:07:F6:3E:8E:DD, status: Successful (0), rssi:0
Jul 17 15:45:51 kernel: bcm_mcast_mld_add:833 mc_fdb->rep_list ffffffc014efc128 next ffffffc0105629a0 prev ffffffc0105629a0 rep_entry->list ffffffc0105629a0 next ffffffc014efc128 prev ffffffc014efc128
Jul 17 15:45:51 kernel: bcm_mcast_mld_add:833 mc_fdb->rep_list ffffffc0104bd068 next ffffffc014190f20 prev ffffffc014190f20 rep_entry->list ffffffc014190f20 next ffffffc0104bd068 prev ffffffc0104bd068
Jul 17 15:46:23 ahs: [read_json]Update ahs JSON file.
Jul 17 15:46:38 WATCHDOG: [FAUPGRADE][auto_firmware_check:(7630)]periodic_check AM 5:35
Jul 17 15:46:38 WATCHDOG: [FAUPGRADE][auto_firmware_check:(7669)]do webs_update
Jul 17 15:46:38 hour monitor: ntp sync fail, will retry after 120 sec
Jul 17 15:46:42 WATCHDOG: [FAUPGRADE][auto_firmware_check:(7687)]retrieve firmware information
Jul 17 15:46:42 WATCHDOG: [FAUPGRADE][auto_firmware_check:(7690)]user in use
Jul 17 15:47:06 rc_service: httpds 1740:notify_rc start_webs_update
Jul 17 15:47:12 WATCHDOG: [FAUPGRADE][auto_firmware_check:(7669)]do webs_update
Jul 17 15:47:17 WATCHDOG: [FAUPGRADE][auto_firmware_check:(7687)]retrieve firmware information
Jul 17 15:47:17 WATCHDOG: [FAUPGRADE][auto_firmware_check:(7690)]user in use
Jul 17 15:47:47 WATCHDOG: [FAUPGRADE][auto_firmware_check:(7669)]do webs_update
Jul 17 15:47:47 WATCHDOG: [FAUPGRADE][auto_firmware_check:(7687)]retrieve firmware information
Jul 17 15:47:47 WATCHDOG: [FAUPGRADE][auto_firmware_check:(7690)]user in use
Jul 17 15:59:39 acsd: selected channel spec: 0x100a (10)
Jul 17 15:59:39 acsd: Adjusted channel spec: 0x100a (10)
Jul 17 15:59:39 acsd: selected channel spec: 0x100a (10)
Jul 17 15:59:39 acsd: acs_set_chspec: 0x100a (10) for reason APCS_CSTIMER
Jul 17 16:00:41 wlceventd: wlceventd_proc_event(527): eth5: Auth D4:F0:57:EC:4D:85, status: Successful (0), rssi:0
Jul 17 16:00:41 wlceventd: wlceventd_proc_event(556): eth5: Assoc D4:F0:57:EC:4D:85, status: Successful (0), rssi:0
Jul 17 16:00:45 disk_monitor: Got SIGALRM...
Jul 17 16:00:49 wlceventd: wlceventd_proc_event(491): eth5: Deauth_ind D4:F0:57:EC:4D:85, status: 0, reason: Deauthenticated because sending station is leaving (or has left) IBSS or ESS (3), rssi:-48
Jul 17 16:01:01 wlceventd: wlceventd_proc_event(527): eth6: Auth D4:F0:57:EC:4D:85, status: Successful (0), rssi:0
Jul 17 16:01:01 wlceventd: wlceventd_proc_event(556): eth6: Assoc D4:F0:57:EC:4D:85, status: Successful (0), rssi:0
Jul 17 16:01:01 wlceventd: wlceventd_proc_event(508): eth5: Disassoc D4:F0:57:EC:4D:85, status: 0, reason: Disassociated because sending station is leaving (or has left) BSS (8), rssi:0
Jul 17 16:01:09 wlceventd: wlceventd_proc_event(491): eth6: Deauth_ind D4:F0:57:EC:4D:85, status: 0, reason: Deauthenticated because sending station is leaving (or has left) IBSS or ESS (3), rssi:-24
Jul 17 16:09:40 wlceventd: wlceventd_proc_event(527): eth5: Auth D4:F0:57:EC:4D:85, status: Successful (0), rssi:0
Jul 17 16:09:40 wlceventd: wlceventd_proc_event(556): eth5: Assoc D4:F0:57:EC:4D:85, status: Successful (0), rssi:0
Jul 17 16:09:42 wlceventd: wlceventd_proc_event(491): eth5: Deauth_ind D4:F0:57:EC:4D:85, status: 0, reason: Deauthenticated because sending station is leaving (or has left) IBSS or ESS (3), rssi:-48
Jul 17 16:09:54 wlceventd: wlceventd_proc_event(527): eth6: Auth D4:F0:57:EC:4D:85, status: Successful (0), rssi:0
Jul 17 16:09:54 wlceventd: wlceventd_proc_event(556): eth6: Assoc D4:F0:57:EC:4D:85, status: Successful (0), rssi:0
Jul 17 16:09:54 wlceventd: wlceventd_proc_event(508): eth5: Disassoc D4:F0:57:EC:4D:85, status: 0, reason: Disassociated because sending station is leaving (or has left) BSS (8), rssi:0
Jul 17 16:10:02 wlceventd: wlceventd_proc_event(491): eth6: Deauth_ind D4:F0:57:EC:4D:85, status: 0, reason: Deauthenticated because sending station is leaving (or has left) IBSS or ESS (3), rssi:-24
Jul 17 16:10:59 rc_service: httpds 1740:notify_rc start_webs_update
Jul 17 16:14:16 rc_service: httpds 1740:notify_rc stop_samba
Jul 17 16:14:16 Samba Server: smb daemon is stoped
Jul 17 16:14:29 wlceventd: wlceventd_proc_event(527): eth5: Auth D4:F0:57:EC:4D:85, status: Successful (0), rssi:0
Jul 17 16:14:29 wlceventd: wlceventd_proc_event(556): eth5: Assoc D4:F0:57:EC:4D:85, status: Successful (0), rssi:0
Jul 17 16:14:33 wlceventd: wlceventd_proc_event(491): eth5: Deauth_ind D4:F0:57:EC:4D:85, status: 0, reason: Deauthenticated because sending station is leaving (or has left) IBSS or ESS (3), rssi:-47
Jul 17 16:14:41 acsd: selected channel spec: 0x1009 (9)
Jul 17 16:14:41 acsd: Adjusted channel spec: 0x1009 (9)
Jul 17 16:14:41 acsd: selected channel spec: 0x1009 (9)
Jul 17 16:14:41 acsd: acs_set_chspec: 0x1009 (9) for reason APCS_CSTIMER
Jul 17 16:14:45 wlceventd: wlceventd_proc_event(527): eth6: Auth D4:F0:57:EC:4D:85, status: Successful (0), rssi:0
Jul 17 16:14:45 wlceventd: wlceventd_proc_event(556): eth6: Assoc D4:F0:57:EC:4D:85, status: Successful (0), rssi:0
Jul 17 16:14:53 wlceventd: wlceventd_proc_event(491): eth6: Deauth_ind D4:F0:57:EC:4D:85, status: 0, reason: Deauthenticated because sending station is leaving (or has left) IBSS or ESS (3), rssi:-24
Jul 17 16:29:42 acsd: selected channel spec: 0x1008 (8)
Jul 17 16:29:42 acsd: Adjusted channel spec: 0x1008 (8)
Jul 17 16:29:42 acsd: selected channel spec: 0x1008 (8)
Jul 17 16:29:42 acsd: acs_set_chspec: 0x1008 (8) for reason APCS_CSTIMER
Jul 17 16:44:45 acsd: selected channel spec: 0x1009 (9)
Jul 17 16:44:45 acsd: Adjusted channel spec: 0x1009 (9)
Jul 17 16:44:45 acsd: selected channel spec: 0x1009 (9)
Jul 17 16:44:45 acsd: acs_set_chspec: 0x1009 (9) for reason APCS_CSTIMER
Jul 17 16:59:46 acsd: selected channel spec: 0x100a (10)
Jul 17 16:59:46 acsd: Adjusted channel spec: 0x100a (10)
Jul 17 16:59:46 acsd: selected channel spec: 0x100a (10)
Jul 17 16:59:46 acsd: acs_set_chspec: 0x100a (10) for reason APCS_CSTIMER
Jul 17 17:00:40 wlceventd: wlceventd_proc_event(527): eth5: Auth D4:F0:57:EC:4D:85, status: Successful (0), rssi:0
Jul 17 17:00:40 wlceventd: wlceventd_proc_event(556): eth5: Assoc D4:F0:57:EC:4D:85, status: Successful (0), rssi:0
Jul 17 17:00:44 wlceventd: wlceventd_proc_event(491): eth5: Deauth_ind D4:F0:57:EC:4D:85, status: 0, reason: Deauthenticated because sending station is leaving (or has left) IBSS or ESS (3), rssi:-45
Jul 17 17:00:57 wlceventd: wlceventd_proc_event(527): eth6: Auth D4:F0:57:EC:4D:85, status: Successful (0), rssi:0
Jul 17 17:00:57 wlceventd: wlceventd_proc_event(556): eth6: Assoc D4:F0:57:EC:4D:85, status: Successful (0), rssi:0
Jul 17 17:00:57 wlceventd: wlceventd_proc_event(508): eth5: Disassoc D4:F0:57:EC:4D:85, status: 0, reason: Disassociated because sending station is leaving (or has left) BSS (8), rssi:0
Jul 17 17:01:05 wlceventd: wlceventd_proc_event(491): eth6: Deauth_ind D4:F0:57:EC:4D:85, status: 0, reason: Deauthenticated because sending station is leaving (or has left) IBSS or ESS (3), rssi:-26
Jul 17 17:04:29 rc_service: httpds 1740:notify_rc start_webs_update
Jul 17 17:06:19 kernel: eth2 (Ext switch port: 1) (Logical Port: 9) Link DOWN.
Jul 17 17:06:22 kernel: eth2 (Ext switch port: 1) (Logical Port: 9) Link UP 10 mbps full duplex
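Since the question is whether anything in that log is abnormal, here is a small triage script (an added example, not something posted in this thread) that pulls the security-relevant facts out of a saved copy of the System Log: which wireless clients associated on which radio, whether a MAC is a randomized (locally administered) address of the kind phones use, what was changed through the web UI or app backend (the rc_service / httpds lines), and the public WAN address that the dhcp client line reveals, which is worth redacting before posting a log. The eth5/eth6 interface names and the embedded sample lines are taken from the post above; the awk field positions are an assumption tied to this firmware's log format, and the mapping of eth5/eth6 to the two radios is an assumption to confirm with nvram.

```shell
#!/bin/sh
# Triage helper for an asuswrt syslog dump (added example, not from the thread).
# Written for BusyBox ash/awk as well as bash/gawk. Usage:
#   sh wl_triage.sh syslog.txt      (no argument: runs on the embedded sample)

# A MAC is "locally administered" (typically a phone's randomized address)
# when bit 1 of the first octet is set, i.e. its second hex digit is
# 2, 3, 6, 7, A, B, E or F.
is_local_mac() {
    case "$1" in
        ?[2367abefABEF]:*) return 0 ;;
        *) return 1 ;;
    esac
}

# One line per (interface, MAC) pair seen in wlceventd events, with the event
# count, first/last timestamp and whether the MAC is randomized or global.
# Field positions assume lines of the form
#   Mon DD HH:MM:SS wlceventd: wlceventd_proc_event(NNN): ethN: Auth AA:BB:..., ...
wl_clients() {
    awk '$4 == "wlceventd:" && $6 ~ /^eth[0-9]+:$/ {
            iface = $6; sub(/:$/, "", iface)
            mac = $8;   sub(/,$/, "", mac)
            key = iface " " mac
            ts = $1 "_" $2 "_" $3
            if (!(key in n)) first[key] = ts
            last[key] = ts; n[key]++
        }
        END { for (k in n) print k, n[k], first[k], last[k] }' "$1" |
    sort |
    while read -r iface mac count first last; do
        if is_local_mac "$mac"; then kind=randomized; else kind=global; fi
        printf '%s %s %s events=%s first=%s last=%s\n' \
            "$iface" "$mac" "$kind" "$count" "$first" "$last"
    done
}

# Service changes requested through rc_service: prints "<caller> <action>".
# A caller of httpds means the HTTPS web UI or the app backend issued it.
service_events() {
    awk '$4 == "rc_service:" { print $5, $7 }' "$1"
}

# The public address the WAN side obtained (what an outsider sees).
wan_lease() {
    awk '$4 == "dhcp" && $5 == "client:" && $6 == "bound" { print $7, "via", $9 }' "$1"
}

# Sample input: a constructed excerpt of the log lines posted in this thread.
sample_log() {
    cat <<'EOF'
Jul 17 15:44:50 wlceventd: wlceventd_proc_event(527): eth6: Auth 9A:45:FF:5E:23:6D, status: Successful (0), rssi:0
Jul 17 15:44:50 wlceventd: wlceventd_proc_event(556): eth6: Assoc 9A:45:FF:5E:23:6D, status: Successful (0), rssi:0
Jul 17 15:44:53 dhcp client: bound 104.173.1.33/255.255.224.0 via 104.173.0.1 for 63924 seconds.
Jul 17 15:44:58 wlceventd: wlceventd_proc_event(527): eth6: Auth B8:BC:5B:EA:D1:CF, status: Successful (0), rssi:0
Jul 17 15:45:28 wlceventd: wlceventd_proc_event(508): eth6: Disassoc B8:BC:5B:EA:D1:CF, status: 0, reason: Disassociated because sending station is leaving (or has left) BSS (8), rssi:0
Jul 17 16:00:41 wlceventd: wlceventd_proc_event(556): eth5: Assoc D4:F0:57:EC:4D:85, status: Successful (0), rssi:0
Jul 17 16:01:01 wlceventd: wlceventd_proc_event(556): eth6: Assoc D4:F0:57:EC:4D:85, status: Successful (0), rssi:0
Jul 17 16:10:59 rc_service: httpds 1740:notify_rc start_webs_update
Jul 17 16:14:16 rc_service: httpds 1740:notify_rc stop_samba
Jul 17 16:14:16 Samba Server: smb daemon is stoped
EOF
}

main() {
    if [ -n "${1:-}" ]; then
        f=$1
    else
        f=$(mktemp); sample_log > "$f"
    fi
    echo "## WAN lease (redact before posting)"; wan_lease "$f"
    echo "## wireless clients";                  wl_clients "$f"
    echo "## service changes via rc_service";    service_events "$f"
}

main "$@"
```

Against the sample, the only randomized MAC is 9A:45:FF:5E:23:6D, the D4:F0:57 client roams between eth5 and eth6, and the two rc_service lines show a webs_update (firmware check) and stop_samba both issued through httpds, i.e. from the web UI or the app.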
 
Compromised routers typically don't leave a trace in the syslog. You have to review the running processes or check the /jffs/wglist and /ffs/ahs.log content to see if anything unusual was spotted.
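For the "review the running processes" step, and for the earlier advice to turn off what you don't need (Samba, WAN remote access), here is an added example of an on-router audit script; it is not code from this thread or from Asus. It is meant to be run over SSH on a stock asuswrt box with BusyBox sh and collects what syslog will not show: processes outside a baseline, listening sockets, the remote-access settings, cron entries and the persistent /jffs area including wglist and ahs.log. The baseline list of daemons, the nvram variable names (misc_http_x, enable_samba, sshd_enable, telnetd_enable, enable_ftp), the "0 means off" reading, the cron spool path and the /jffs/ahs.log location are assumptions to confirm against a known-clean router, and the ps listing it falls back to when no router is present is constructed.

```shell
#!/bin/sh
# On-router audit for asuswrt (added example, not from the thread or Asus).
# Run over SSH on the router; without nvram/jffs present it demonstrates the
# checks on a constructed ps listing instead.

# Daemons expected on a stock box: names seen in the posted log plus the
# usual init/syslogd/httpd/dnsmasq. ASSUMPTION: extend from a known-clean
# router of the same model and firmware, this is not an authoritative list.
baseline_names() {
    echo "init syslogd klogd httpd httpds crond watchdog wlceventd acsd dnsmasq disk_monitor ahs"
}

# Prints processes whose command name is not in the baseline. Input is the
# output of BusyBox 'ps' (PID USER VSZ STAT COMMAND). The path is reduced to
# its basename so /tmp/foo is compared as foo; kernel threads ([name]) skip.
unexpected_procs() {
    awk -v ok_list="$(baseline_names)" '
        BEGIN { n = split(ok_list, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        NR > 1 && $5 !~ /^\[/ {
            cmd = $5; sub(/.*\//, "", cmd)
            if (!(cmd in ok)) print $1, $2, $5
        }' "$1"
}

# Filters 'nvram show' (name=value lines) down to settings that expose the
# router: WAN web access, Samba, SSH, telnet, FTP. Anything non-zero is
# reported for the owner to judge. ASSUMPTION: asuswrt variable names, 0=off.
risky_settings() {
    awk -F= '$1 ~ /^(misc_http_x|enable_samba|sshd_enable|telnetd_enable|enable_ftp)$/ && $2 != "0" && $2 != ""'
}

# Everything a reviewer would ask for, in one pass on the router itself.
# ASSUMPTION: cron spool under /var/spool/cron/crontabs and ahs.log in /jffs.
audit_router() {
    ps > /tmp/audit_ps.$$
    echo "## processes not in baseline"; unexpected_procs /tmp/audit_ps.$$
    rm -f /tmp/audit_ps.$$
    echo "## listening sockets";         netstat -tuln
    echo "## remote-access settings";    nvram show 2>/dev/null | risky_settings
    echo "## cron entries";              cat /var/spool/cron/crontabs/* 2>/dev/null
    echo "## persistent storage";        ls -la /jffs
    echo "## wglist / ahs.log";          cat /jffs/wglist /jffs/ahs.log 2>/dev/null
}

# Constructed BusyBox-style ps listing used when no router is present; the
# last entry stands in for a binary a clean router would not be running.
sample_ps() {
    cat <<'EOF'
  PID USER       VSZ STAT COMMAND
    1 admin     3040 S    /sbin/init
  512 admin     4020 S    /sbin/syslogd
  520 admin     4020 S    /sbin/klogd
  521 admin        0 SW   [kworker/0:1]
 1739 admin     3040 S    crond
 1740 admin     5848 S    httpds
 2105 admin     3480 S    /tmp/unknown_bin
EOF
}

main() {
    if [ -d /jffs ] && command -v nvram >/dev/null 2>&1; then
        audit_router
    else
        t=$(mktemp); sample_ps > "$t"
        echo "## processes not in baseline (sample)"; unexpected_procs "$t"
        rm -f "$t"
        echo "## remote-access settings (sample)"
        printf 'misc_http_x=1\nenable_samba=0\nsshd_enable=0\n' | risky_settings
    fi
}

main "$@"
```

Anything printed under "processes not in baseline" that you cannot account for, a listening port you did not open, or misc_http_x=1 when you never enabled WAN access is the point at which the reflash-and-factory-reset advice above stops being optional.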
 